
[BUG] npm ERR! Invalid Version: 0.4.0rc7

Open cen1 opened this issue 3 years ago • 18 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

"devDependencies": {
    "grunt-contrib-requirejs": "0.4.4",

npm install

npm timing metavuln:cache:get:security-advisory:grunt-contrib-requirejs:oqQhD6gohOi1xqkMRPIOAZpCHkjKcppi1RPlC6PTqAhjeB49iZCxKrLX/aF7dSQ+E/eL5DR6WO3Re5Y9xIdfGg== Completed in 2ms
npm verb stack TypeError: Invalid Version: 0.4.0rc7
npm verb stack     at new SemVer (/Users/me/.nvm/versions/node/v16.15.0/lib/node_modules/npm/node_modules/semver/classes/semver.js:38:13)
npm verb stack     at compareBuild (/Users/me/.nvm/versions/node/v16.15.0/lib/node_modules/npm/node_modules/semver/functions/compare-build.js:3:20)
npm verb stack     at /Users/me/.nvm/versions/node/v16.15.0/lib/node_modules/npm/node_modules/semver/functions/sort.js:2:51
npm verb stack     at Array.sort ()
npm verb stack     at Object.sort (/Users/me/.nvm/versions/node/v16.15.0/lib/node_modules/npm/node_modules/semver/functions/sort.js:2:36)
npm verb stack     at Advisory.[calculateRange] (/Users/me/.nvm/versions/node/v16.15.0/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js:169:28)
npm verb stack     at Advisory.load (/Users/me/.nvm/versions/node/v16.15.0/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/advisory.js:157:28)
npm verb stack     at Calculator.[calculate] (/Users/me/.nvm/versions/node/v16.15.0/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/lib/index.js:60:14)
npm verb stack     at async Promise.all (index 8)
npm verb stack     at async Map.[init] (/Users/me/.nvm/versions/node/v16.15.0/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/audit-report.js:186:9)
npm verb cwd /Users/me/git/org/myrepo
npm verb Darwin 21.3.0
npm verb node v16.15.0
npm verb npm v8.12.1
npm ERR! Invalid Version: 0.4.0rc7

https://www.npmjs.com/package/grunt-contrib-requirejs

Lifting dependency version to 1.0.0 seems to work. What is weird is that I had this working fine just 2 weeks ago on node 16 and npm 8, now suddenly broken.

Same result on: node 15 + npm 7.7.6

Works on: node 14 + npm 6.14.17

Expected Behavior

No error.

Steps To Reproduce

  1. Node 16, npm 8
  2. devDependency on grunt-contrib-requirejs: 0.4.4
  3. npm install
  4. See error...above

Environment

  • npm: 8, 7
  • Node.js: 16
  • OS Name: Mac OS Monterey
  • System Model Name:
  • npm config:
; node bin location = /Users/me/.nvm/versions/node/v16.15.0/bin/node
; node version = v16.15.0
; npm local prefix = /Users/me/git/org/myrepo
; npm version = 8.12.1
; cwd = /Users/me/git/org/myrepo
; HOME = /Users/me
; Run `npm config ls -l` to show all defaults.

cen1 avatar Jun 05 '22 22:06 cen1

That version is indeed invalid. What's in your package.json's version field?

ljharb avatar Jun 06 '22 03:06 ljharb

2.0.0

cen1 avatar Jun 06 '22 07:06 cen1

I am also getting the same error for node v16 but it works with v14. But this worked fine a few days back.

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '[email protected]',
npm WARN EBADENGINE   required: { node: '0.x' },
npm WARN EBADENGINE   current: { node: 'v16.15.0', npm: '8.5.5' }
npm WARN EBADENGINE }
npm ERR! Invalid Version: 0.4.0rc7

bittu avatar Jun 06 '22 12:06 bittu

Maybe something in npm registry itself got changed and is now returning invalid versions? I've read somewhere these should be filtered anyway and never get down to the npm itself. See for example https://github.com/npm/npm/issues/11836#issuecomment-194453360

cen1 avatar Jun 06 '22 13:06 cen1

Ok. But how and when will this get fixed? All pipelines are blocked now for us.

bittu avatar Jun 06 '22 13:06 bittu

Bump!!!

Any update on this please...

bittu avatar Jun 07 '22 16:06 bittu

Our pipelines are blocked because of this.

arjanfrans avatar Jun 08 '22 07:06 arjanfrans

I found one possible thing that may work by adding --no-audit flag, it went through once for me.

cen1 avatar Jun 08 '22 07:06 cen1

@cen1 Worked for me too

arjanfrans avatar Jun 08 '22 07:06 arjanfrans

node 16.15.0 npm 8.12.1

npm does not install modules properly (a lot of files are missing in various modules) and exits with an error about scp2

npm ERR! Invalid Version: 0.1.0a2

I don't need to mention that everything worked fine before, do I? Adding the --no-audit flag makes it work again but should not be the solution imo. Since this issue blocks all pipelines there is no choice for now. Please fix

wisc17 avatar Jun 09 '22 07:06 wisc17

Changing the grunt-contrib-requirejs version to 1.0.0 solved the problem for me.

insich avatar Jun 10 '22 09:06 insich

The problem is that npm has a tag cached for grunt-contrib-requirejs that is an invalid semantic version. Github does not have that tag, it must have been removed. We have an app using an older node and npm version which apparently does strict semver checks on all available versions from npm when trying to match the version spec in package.json. This is why just upgrading the version didn't work.

After all of the above fixes failed, we fixed it by changing

    "grunt-contrib-requirejs": "^0.4.4",

to

    "grunt-contrib-requirejs": "git+https://github.com/gruntjs/grunt-contrib-requirejs.git#v0.4.4",

in package.json. This way it fetches directly from git and does not try to parse the offending version from npm.

mikedfunk avatar Jun 10 '22 20:06 mikedfunk
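
The failure mode discussed in this thread, as an added example that is not part of the original discussion and is not npm's or node-semver's code: a strict semver sort over a package's published versions throws as soon as one entry is malformed, while setting malformed entries aside first lets the rest sort normally. The regex is the strict pattern suggested on semver.org; the function names and the version list are constructed for illustration.

```javascript
// Added example (not npm's code): one malformed version string in registry
// metadata aborts a strict semver sort; a pre-filter isolates it instead.

// Strict SemVer 2.0.0 pattern (the one suggested on semver.org).
const SEMVER = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

function parseStrict(v) {
  const m = SEMVER.exec(v);
  if (!m) throw new TypeError(`Invalid Version: ${v}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease precedence per SemVer 2.0.0, section 11.
function comparePre(a, b) {
  if (!a.length || !b.length) return b.length - a.length; // release > prerelease
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1; // fewer identifiers sorts lower
    if (b[i] === undefined) return 1;
    if (a[i] === b[i]) continue;
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn) return Number(a[i]) - Number(b[i]);
    if (an !== bn) return an ? -1 : 1; // numeric ids sort below alphanumeric
    return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compare(x, y) {
  const a = parseStrict(x), b = parseStrict(y);
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  return comparePre(a.pre, b.pre);
}

// Strict sort: throws on the first malformed entry, like the trace in this issue.
const sortStrict = (versions) => [...versions].sort(compare);

// Defensive sort: malformed entries are reported separately, not parsed.
function sortTolerant(versions) {
  const invalid = versions.filter((v) => !SEMVER.test(v));
  const valid = versions.filter((v) => SEMVER.test(v)).sort(compare);
  return { valid, invalid };
}

// Constructed version list; only 0.4.0rc7 and 0.4.4 appear in the issue.
const published = ['0.4.4', '0.4.0rc7', '1.0.0', '0.4.0-rc.7', '0.3.0'];
try { sortStrict(published); } catch (e) { console.log(e.message); }
console.log(sortTolerant(published));
```
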

Seems to be happening on my end with "grunt-contrib-yuidoc": "1.0.0" and there's no reference to 0.4.0rc7 anywhere else in my code or dependency tree. Downgrading to node v14 with npm v6 works for now but that's not ideal.

limzykenneth avatar Jun 11 '22 13:06 limzykenneth

I've tracked down the problem to this chunk and reverting it seems to address the immediate problem. I don't know enough about what happens under the scene here to say what the fix proper could be.

limzykenneth avatar Jun 17 '22 13:06 limzykenneth

It's weird that npm has an opinion on version number to use in the first place.

I can understand it's nice if it is semver because it can understand more of it. But it should be able to use any sortable value like 77 which is the one I'm using. Just monotonically increasing the number on every release. (ofc I can work around npm's wishes by adding .0.0 behind, but really?).

Also means date-based versions won't work, like 20220915 if that's your style.

 verbose stack Error: Invalid version: "77"
 verbose stack     at Object.fixVersionField (/usr/lib/node_modules/npm/node_modules/normalize-package-data/lib/fixer.js:191:13)
 verbose stack     at /usr/lib/node_modules/npm/node_modules/normalize-package-data/lib/normalize.js:32:38

Have been running fine with this since I was on yarn, but suddenly something uses npm somewhere and this crashed :shrug:

odinho avatar Sep 15 '22 11:09 odinho

The ecosystem is for semver only and has always been.

ljharb avatar Sep 15 '22 14:09 ljharb

@ljharb Why does NPM allow packages that didn't follow semver to be published in the first place? If a package with a version number like 0.4.0rc7 can be published on NPM but is inaccessible by npm, why is it there at all if the ecosystem has always been meant for semver?

limzykenneth avatar Sep 15 '22 14:09 limzykenneth

Good question - I assume a bug.

ljharb avatar Sep 15 '22 14:09 ljharb

Just to note that I find this has been fixed by https://github.com/npm/cli/commit/c7d5a69080b5de6ed0f1cdde77e7d7a3c6b05158 and is available in the latest npm release.

limzykenneth avatar Jan 08 '23 15:01 limzykenneth

nice, it’s fixed in v8.13+, specifically.

ljharb avatar Jan 08 '23 17:01 ljharb